
Thursday, March 11, 2010

EnCase + F-Response + EnScript = very affordable network forensics & eDiscovery

Most of you are familiar with and have seen the numerous posts on various blogs & websites about the capabilities of F-Response. If you don't already own F-Response, you should go here first!

I don't work for F-Response or Guidance Software, nor do I have any financial interest in either of their successes. I have been using EnCase for many years and have "cut my teeth" using EnCase, so it's one of the primary tools I use. But I cannot personally afford EnCase Enterprise, so I am always looking for alternative ways to perform "Enterprise-wide" forensics. Enter F-Response.

F-Response really helps bridge the gap of available affordable tools that enable an examiner to do network based forensics or remote collections. The only limitation with F-Response was that you really could not automate F-Response in an unattended fashion and have it work together with EnCase, until now :))

Matthew Shannon at F-Response has released a version of F-Response Enterprise that now contains a scriptable object. That object can be controlled by any program that supports COM. So basically, using the standard off-the-shelf version of EnCase Forensic, you can automate the remote connection, analysis and collection of whatever data you want, based on whatever criteria you wish via EnScript.

Below is a fully functional proof-of-concept EnScript that works with the new version of F-Response Enterprise Edition. Requirements:

You need EnCase Forensic version or Law Enforcement version (not Enterprise)
You need the most recent version of F-Response Enterprise version (download page of http://www.f-response.com/) and the new F-Response scriptable COM object.

To make this POC EnScript work, you need to have the latest version of F-Response Enterprise installed and the basic configuration information completed in the FEMC. Below is an example of the required information that needs to be set in the FEMC:



Once you have this information configured, you do not need the FEMC running, but you do need the F-Response License Manager running and your F-Response dongle connected.

Once you have the above completed, you can open EnCase and run the EnScript below. It will ask for the credentials for the remote machine. The credentials are used to install, start, stop and uninstall the F-Response client on the remote machine, just like if you were doing this manually in the FEMC. The F-Response client does not need to be installed and/or running already. Specify a remote IP address (or several) then click "OK":



This POC EnScript is specifically designed to search all the remote IP addresses (or machine names) and find a specific file named "F-Response_text.txt" (case sensitive) on the remote machine. If the file is found, EnCase will print out the full path, logical size and created date in the console. This is just a basic POC to demonstrate the capabilities, but the possibilities are endless. You can do *anything* you could normally do while looking at a local disk or evidence file in EnCase. Want to connect to a list of remote machines and collect certain files that match certain criteria? i.e. size, extension, location, whatever? No problem, it can now be done programmatically.
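The search logic the POC EnScript performs (walk each remote disk that F-Response exposes as a local drive, find a file by exact, case-sensitive name, report full path, logical size and created date) is shown below as an added Python example; it is not the EnScript from the post and does not perform the COM connection step, which the EnScript handles. It generalises the single-file search to the user-definable criteria the post mentions (extension, size range, location under the volume) and adds a SHA-256 of each hit so a collection report is verifiable. The directory tree it searches is constructed in a temporary folder as a stand-in for an attached remote volume.

```python
"""Criteria-based file search over attached volumes (added example; not
the blog post's EnScript). Each entry in `volumes` stands in for a remote
disk that F-Response has presented to the examiner's workstation."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List, Optional


@dataclass
class Criteria:
    name: Optional[str] = None        # exact, case-sensitive file name
    extension: Optional[str] = None   # e.g. ".txt", matched case-insensitively
    min_size: int = 0                 # logical size bounds in bytes
    max_size: Optional[int] = None
    under: Optional[str] = None       # path prefix relative to the volume root


@dataclass
class Hit:
    volume: str
    full_path: str
    logical_size: int
    created: datetime
    sha256: str


def _sha256(path: str) -> str:
    """Hash in chunks so a multi-GB hit on a live volume is not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _matches(crit: Criteria, volume: str, path: str, size: int) -> bool:
    name = os.path.basename(path)
    if crit.name is not None and name != crit.name:   # case-sensitive, as in the EnScript
        return False
    if crit.extension is not None and not name.lower().endswith(crit.extension.lower()):
        return False
    if size < crit.min_size:
        return False
    if crit.max_size is not None and size > crit.max_size:
        return False
    if crit.under is not None:
        rel = os.path.relpath(path, volume)
        if not (rel == crit.under or rel.startswith(crit.under + os.sep)):
            return False
    return True


def search_volume(volume: str, crit: Criteria) -> Iterator[Hit]:
    for root, _dirs, files in os.walk(volume):
        for fn in files:
            p = os.path.join(root, fn)
            try:
                st = os.stat(p)
            except OSError:
                continue  # file vanished or is locked on the live system; skip, don't abort
            if _matches(crit, volume, p, st.st_size):
                # st_ctime is the creation time on Windows; on POSIX it is the
                # inode change time, so treat it as an approximation there.
                yield Hit(volume, p, st.st_size,
                          datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
                          _sha256(p))


def search_targets(volumes: List[str], crit: Criteria) -> List[Hit]:
    """Equivalent of looping over the IP list in the EnScript dialog."""
    hits: List[Hit] = []
    for v in volumes:
        hits.extend(search_volume(v, crit))
    return hits


def build_sample_volume() -> str:
    """Constructed stand-in for one remote disk (not real evidence)."""
    root = tempfile.mkdtemp(prefix="fresp_vol_")
    layout = {
        "Users/alice/F-Response_text.txt": b"hello from alice\n",
        "Users/alice/f-response_text.txt": b"wrong case\n",       # must NOT match by name
        "Windows/Temp/F-Response_text.txt": b"x" * 4096,
        "Users/bob/notes.TXT": b"bob's notes\n",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for h in search_targets([vol], Criteria(name="F-Response_text.txt")):
        print(h.full_path, h.logical_size, h.created.isoformat(), h.sha256)
```

The per-file `OSError` handling matters on a live server: a locked or transient file should be skipped and noted, not terminate a collection that has already run for hours.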

If you were starting from scratch and didn't have either of these tools, the total price to get the tools would be about $8,500. The great thing is both of these are already widely used and owned by many people. You may not have the Enterprise version of F-Response, but you can upgrade to that and have this capability for just a few thousand dollars.

If you are interested in beta testing a full version of the EnScript that collects files based on user-definable criteria, send me an email at beta(at)forensickb.com with "beta test" in the subject line.

Download Here

Wednesday, May 28, 2008

F-Response to the rescue!

A few weeks ago, I received an evaluation version of the new F-Response tool. Although I knew it was coming and I was excited to try it out, I received it while I was out of town and when I returned I was inundated with work and could not play with it immediately as I had hoped, so instead it sat in the shipping envelope in my car.

Last week, I was called by a company that had been the victim of a SQL injection attack. They were frantic and wanted help immediately. I saddled up and grabbed my response kit and met with the company. After getting all the particulars, I responded to the data center where there were two computers that needed to be imaged.

As I set up my gear, the system admin explained that their main back-end SQL server was tied to *everything* and there was no cluster or back-up server, so I could not shut the system down or even reboot it, as it would interrupt their business. I thought, no problem, I will image it live. As I looked at the Dell 2U rack server, I noticed one USB port on the front and two on the back. I collected volatile data and saved the data off to a small USB flash disk. I noticed that the volatile data collection was taking a lot longer than normal. I then asked how old the server was and if the USB was 2.0 or 1.1.....uh-oh.....1.1

I then examined the installed hard drives and found there were 5 SCSI hard drives making up a RAID 5 system. The operating system saw one physical disk, consisting of two logical partitions, totaling 1.1TB.

After he told me it was USB 1.1, I paused for a bit thinking through all the possible scenarios:

A. Use USB 1.1 and save the live image off to a removable USB hard drive
B. Insert a USB 2.0 card (required a reboot and this was not an option)
C. Insert a Firewire card (required a reboot and this was not an option)
D. Use netcat/cryptcat to throw the image across the network to another device
E. Use FTK imager and save the image to a network share.

I figured I would try option A and see how long the image would take. After setting everything up, I started FTK imager and it began to level out at 440 hours....hmmm...440/24 = 18.3 days... ouch!

So option A was out. After thinking a bit, I decided to use option F, F-Response! I remember that I had the package with me, but had not tried it out yet. I retrieved the package from my car and set up a VMware machine on my forensic laptop and went through the installation. I then tested it out using EnCase as the imaging platform and found it worked flawlessly.

I was still concerned about sending 1.1TB of data across the network wire that was actively being used by clients and the web server. After digging around a bit, I found a separate gigabit NIC adapter on the back of the server that was not being used, so I used a crossover cable connected directly to my laptop and statically setup some IP addresses. I then copied the F-Response client application to a flash disk and ran it on the target server. Two minutes later, I had a direct connection and the 1.1TB drive was showing up on my forensic laptop as a local drive. I started EnCase and previewed the drive. I started the imaging process using EnCase and it reported 30 hours until completion, much better than 18 days..;)

--fast forward-->

28 hours later the image was done. When the dust settled, I had an EnCase image file sitting on a Lacie 2 TB removable drive that was complete and verified correctly.

The F-Response setup process took all of about 5 minutes and was extremely easy. There is a very small learning curve in order to understand how it works. The best part of it is that it allows you to use whatever forensic platforms you normally use, the F-Response tool is not a forensic analysis tool itself, but instead is a type of conduit that connects remote hard drives to your local workstation so that your traditional tools can be used.

Hogfly posted a cool video of using F-Response here: http://forensicir.blogspot.com/2008/04/ripping-registry-live.html

Harlan also posted a blog about this tool here:
http://windowsir.blogspot.com/2008/05/f-response.html

There is also a great little demo video on how the tool works on the F-Response website: http://www.f-response.com/

If you have not seen this tool yet, I highly recommend you take advantage of their $100 trial version. Their field kit, consultant and enterprise versions are insanely priced compared to the price point of other forensic tools. Once you see or try this tool I think it will find a permanent home in your response kit, like mine has!

Computer Forensics, Malware Analysis & Digital Investigations